Aqua Security today updated its container security platform to add support for Kubernetes and the ability for developers to embed security controls directly in a container image.
In addition to support for Kubernetes in the core Aqua container security platform, the latest version includes a MicroEnforcer capability that embeds policy enforcement in the container image itself, eliminating the need for a separate “sidecar” container to enforce security policies.
Rani Osnat, vice president of product marketing for Aqua Security, says that while deploying a container sidecar remains a perfectly viable approach, it is generally better from a container overhead perspective to minimize the number of containers required. At the same time, not every developer is comfortable creating and implementing security policies. In those cases, a security policy enforced by a container and added to the application may be preferable. Aqua Security is now allowing organizations to manage both approaches from a central console.
Kubernetes has become a de facto standard, but from a security perspective it is still not well understood. Version 3.0 of Aqua provides a mechanism that hooks into the Kubernetes admission webhook to create fine-grained access control roles and policies via Aqua labeling technology. That approach improves overall efficiency because policies can now be applied to groups of containers rather than being attached manually to each container.
Aqua now can prevent Kubernetes from running unapproved images across entire clusters, providing a more efficient mechanism that scales across large deployments, while an Aqua container-level firewall can be employed to control network traffic based on Kubernetes namespaces, clusters or deployments. The firewalls allow administrators to enforce network segmentation to limit lateral movement of malware.
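The admission-webhook mechanism described above is generic Kubernetes behaviour: the API server POSTs an AdmissionReview to a validating webhook before an object is persisted, and the webhook answers allowed or denied. The following is an added example, not Aqua's code and not from the original article, of the decision logic such a webhook would run to keep unapproved images out of a cluster. The approved registry, the exempt namespace, the digest-pinning rule and the sample AdmissionReview are constructed assumptions for illustration; the image policy also generalizes past the text by checking initContainers and ephemeralContainers, which a check that only reads `spec.containers` would miss.

```python
import json
import re
from typing import Iterable

# Constructed policy for the example (assumptions, not Aqua's policy model):
# images must come from an approved registry and be pinned to a sha256 digest,
# so a mutable tag cannot be re-pointed at a different image after approval.
APPROVED_REGISTRIES = ("registry.example.internal/",)   # assumed, constructed
EXEMPT_NAMESPACES = frozenset({"kube-system"})            # assumed, constructed
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_violations(image: str) -> list[str]:
    """Return a list of policy violations for one image reference (empty = ok)."""
    problems = []
    if not image.startswith(APPROVED_REGISTRIES):
        problems.append(f"image {image!r} is not from an approved registry")
    if not DIGEST_RE.search(image):
        problems.append(f"image {image!r} is not pinned by sha256 digest")
    return problems


def pod_images(pod_spec: dict) -> Iterable[str]:
    """Yield every image a pod spec can run, not just spec.containers."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(key, []):
            yield container["image"]


def review(admission_review: dict) -> dict:
    """Take an AdmissionReview request and build the AdmissionReview response
    the API server expects: same uid, allowed flag, and a status message when
    the request is denied. Registering the webhook on pods is enough, because
    Deployments, Jobs and DaemonSets all end up creating pods."""
    req = admission_review["request"]
    namespace = req.get("namespace", "")
    obj = req.get("object", {})
    problems: list[str] = []
    if namespace not in EXEMPT_NAMESPACES and obj.get("kind") == "Pod":
        for image in pod_images(obj.get("spec", {})):
            problems.extend(image_violations(image))
    response = {"uid": req["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {
        "apiVersion": admission_review.get("apiVersion", "admission.k8s.io/v1"),
        "kind": "AdmissionReview",
        "response": response,
    }


# Constructed sample request, shaped like an admission.k8s.io/v1 AdmissionReview
# for a pod that pulls a mutable upstream tag from Docker Hub.
SAMPLE_DENIED = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "namespace": "payments",
        "operation": "CREATE",
        "object": {
            "kind": "Pod",
            "spec": {"containers": [{"name": "app", "image": "docker.io/library/nginx:latest"}]},
        },
    },
}

# Constructed sample request for a pod whose only image is digest-pinned and
# comes from the approved registry (digest value is a placeholder).
SAMPLE_ALLOWED = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000002",
        "namespace": "payments",
        "operation": "CREATE",
        "object": {
            "kind": "Pod",
            "spec": {"containers": [{
                "name": "api",
                "image": "registry.example.internal/payments/api@sha256:" + "0123456789abcdef" * 4,
            }]},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_DENIED), indent=2))
    print(json.dumps(review(SAMPLE_ALLOWED), indent=2))
```

In a real deployment this function sits behind a TLS endpoint named in a ValidatingWebhookConfiguration whose `failurePolicy` decides what happens when the webhook is unreachable; setting it to `Ignore` silently turns the image control off during an outage, which is the kind of gap an auditor will ask about.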
In addition, Aqua now incorporates CIS Kubernetes benchmark checks alongside updated Docker CIS benchmark checks, which can run daily to create reports that can be exported for compliance. Aqua event logging now also captures Kubernetes-specific information such as pod name, type, deployment and namespace data.
These capabilities are critical because organizations need to be able to clearly demonstrate complete separation of duties for an auditor, says Osnat. Despite a desire to move more security to the “left” as part of the DevSecOps movement, Osnat notes that having the same people who wrote the code being held accountable for determining its level of security isn’t viable. Developers should be incentivized to write more secure code. But there will always be a requirement for separation of duties between developers and cybersecurity professionals, says Osnat.
Historically, security issues have always trailed the mainstream adoption of emerging technologies in production environments. It’s not clear yet whether the rise of containers will be any different. Osnat notes that already overtaxed cybersecurity professionals are not exactly encouraging developers to deploy new platforms they don’t yet know all that well. While containers may make applications more resilient, all those additional modules of code tend to make maintaining cybersecurity more complex.